Solved

DNS Problem

Posted on 2004-11-01
394 Views
Last Modified: 2010-04-19
We have two Windows 2003 servers that function as domain controllers and DNS servers.  For DNS, they log entries for local workstations and point to our ISP for web name resolution.  About a week ago, no client can access www.yahoo.com.  Checked with our ISP and they report OK (also changed my DNS settings to their servers on my local workstation and can access yahoo).  From what I understand, flushing the DNS cache on both servers should fix the problem, but I want to know (1) why this should matter if it's pointing out to the ISP for the info anyway and (2) what the ramifications are of flushing the cache.

Thanks!
Question by:munch007
    16 Comments
     
    LVL 23

    Expert Comment

    by:rhandels
    Hi,

    DNS servers keep a cache of the domain names that are resolved. If your server has a wrong DNS entry in its cache (every machine has a cache), it will resolve falsely. So the flushdns option will flush the local DNS cache the machine has.

    This will have absolutely no effect on performance or anything else on your servers. You can do this without worrying about anything. The server will start creating a new local cache by resolving the domain names....

    Author Comment

    by:munch007
    Flushed DNS cache and still cannot get to www.yahoo.com.  Any suggestions, based upon info above?

    LVL 23

    Expert Comment

    by:rhandels
    >>Flushed DNS cache and still cannot get to<<

    I already thought that this wasn't going to solve the problem...

    If you go to the DNS server, are you able to go to other sites? Browse the internet? And what's between your server and the internet?
    LVL 11

    Expert Comment

    by:cfairley
    Also, when you reboot the server, this flushes the cache.

    The reason this happens at times is that sites such as Yahoo have many Web servers.  If you go to the site, the DNS server will store the IP/DNS name in the cache.  If that specific server from Yahoo goes down, then the entry in the cache is wrong and will give its clients the wrong information.  So flushing the cache on the server will allow it to get rid of the wrong information.
    LVL 82

    Expert Comment

    by:oBdA
    Your DNS settings are incorrect. For an AD domain to work properly, your domain members have to use your internal DNS *only*, and use the root hints or forwarders for external lookups.
    The following settings should correct the issue:

    *** TCP/IP-Settings ***
    * On your first DC/DNS, make sure the only DNS listed in the TCP/IP properties is itself.
    * On your second DC, let it point to the first DC as primary, to itself as secondary.
    * On your domain members, enter both DCs as primary and secondary DNS.
    * Do NOT enter your ISP's DNS server in the TCP/IP settings on any domain member. All DNS resolution needs to be done by your internal DNS servers *only*.

    *** DNS Server Settings ***
    * Delete the root zone (if present) in your DNS servers' forward lookup zones (the single dot, "."), to enable external lookups.
    * Right-click your forward and reverse lookup zones, go to Properties, and make sure that Dynamic Updates are enabled.
    * In the properties page of your DNS servers, configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
    * It's recommended (but not necessary) to set your zones to Active Directory integrated (this can be done in the properties of the zones as well).

    Once you've checked this, open a command prompt and enter "ipconfig /registerdns", then stop and re-start the netlogon service. Check if the SRV records have been created (see link below).
    For further troubleshooting, you can use dcdiag.exe and netdiag.exe to check your system for errors in the domain setup.

    Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
    http://support.microsoft.com/?kbid=291382

    Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
    http://support.microsoft.com/?kbid=825036

    HOW TO: Configure DNS for Internet Access in Windows Server 2003
    http://support.microsoft.com/?kbid=323380

    HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
    http://support.microsoft.com/?kbid=816567

    How to Verify the Creation of SRV Records for a Domain Controller
    http://support.microsoft.com/?kbid=241515

    How Domain Controllers Are Located in Windows
    http://support.microsoft.com/?kbid=247811

    How Domain Controllers Are Located in Windows XP
    http://support.microsoft.com/?kbid=314861

    SRV Resource Records May Not Be Created on Domain Controller
    http://support.microsoft.com/?kbid=239897

    Author Comment

    by:munch007
    I can browse to any website (as far as I can tell) on the DNS server, clients, etc.  Cisco PIX firewall is between DNS server and internet.

    Author Comment

    by:munch007
    Checked all settings mentioned by oBdA.  All are correct, ISP's servers only appear on the forwarders tab.  I just temp changed my local DNS to my ISP to test.
    LVL 11

    Expert Comment

    by:WeHe
    How do they connect to www.yahoo.com? NAT/routed/proxy?
    What were the error messages when not reaching www.yahoo.com?

    Author Comment

    by:munch007
    A user's internet permission is granted through our firewall...once I permit the IP in the firewall they can connect.  We also have a proxy server, but users cannot connect to yahoo through it either.  Error is "cannot find yahoo.com".  Cannot ping the site either.
    LVL 11

    Expert Comment

    by:WeHe
    BTW, for caching reasons, one DNS server should forward to the second; only the second should forward to the internet.
    None of your DNS servers has a "." zone?
    Did you ever update the root hints file?
    Which DNS servers are your DCs using?
    LVL 23

    Accepted Solution

    by:
    Hi,

    There seems to be a compatibility problem with Windows Server 2003 and PIX firewalls that could cause these kinds of conflicts. Try looking at this other thread, it might help:

    http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21138215.html

    I will paste the answer to that question here... It's a copy from another post (just as a small reminder)..



    This is a known compatibility problem between Windows Server 2003's DNS and some firewalls, usually PIX.

    See the following articles for details:

    http://www.jsiinc.com/SUBN/tip6900/rh6967.htm
    http://support.microsoft.com/default.aspx?scid=kb;en-us;828263
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_imp_EDNSsupport.asp

    Hope that helps!!

    Eli


    Especially the second link is interesting.... Hope it helps..

    Author Comment

    by:munch007
    Thanks!
    LVL 23

    Expert Comment

    by:rhandels
    So it did solve your problem? Glad to hear..

    Author Comment

    by:munch007
    Worked like a champ!  I appreciate the help
    LVL 23

    Expert Comment

    by:rhandels
    You're welcome...

    Expert Comment

    by:SteveIN
    Thanks so much for this solution!!!! It solved my problem too. I was having trouble with people getting to sites like CNN.com and Ebay.com, and it was just driving me mad and causing me to question everything I knew about setting up DNS. Thanks again! Here is also another link that has a solution about how to tell Windows 2003 to use a 512-byte UDP packet without totally disabling all the EDNS0 features.

    http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-edns0-and-firewalls.html

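The accepted solution and SteveIN's follow-up describe one mechanism: a Windows Server 2003 DNS server probes upstream servers with EDNS0, the upstream sends back a UDP answer larger than the 512 bytes classic DNS (RFC 1035) allows, and a PIX whose DNS fixup still enforces that 512-byte limit silently drops it, so names with big answer sets (large web farms such as yahoo.com) look unresolvable while everything else works. The Python below is an added illustration, not code from the thread, from Microsoft or from Cisco. It builds queries with and without the EDNS0 OPT pseudo-record, constructs an answer for a hypothetical 32-address farm (RFC 5737 test addresses, constructed here), and classifies each response the way a 512-byte-limited fixup would. The three scenarios are: an EDNS0 probe advertising a large payload (answer dropped); probes disabled with `dnscmd /Config /EnableEDnsProbes 0` as KB 828263 describes (classic query, server sets TC and the resolver retries over TCP); and EDNS0 kept but capped at 512 bytes, which is what the last link is about (the registry value name MaximumUdpPacketSize used in the comment is an assumption, not confirmed by the thread).

```python
"""EDNS0 vs. classic DNS over UDP, and what a 512-byte DNS fixup does with each.

Constructed example: no network access, all messages are built in memory.
"""
import struct

RFC1035_UDP_LIMIT = 512          # classic DNS/UDP maximum; what an old PIX DNS fixup enforces
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name):
    """Encode 'www.yahoo.com' as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, edns_udp_size=None):
    """Recursive A query. With edns_udp_size set, append an OPT RR advertising it.

    edns_udp_size=None  -> classic query (what EnableEDnsProbes=0 sends)
    edns_udp_size=512   -> EDNS0 kept, but only a 512-byte answer is requested
                           (the MaximumUdpPacketSize idea; value name is an assumption)
    """
    arcount = 1 if edns_udp_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)        # flags: RD
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if edns_udp_size is not None:
        # OPT pseudo-RR (RFC 2671): root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """EDNS0 UDP payload size advertised in msg, or None if it carries no OPT RR."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass                # CLASS field of OPT = sender's UDP payload size
    return None


def classify_udp_response(resp, udp_limit=RFC1035_UDP_LIMIT):
    """What a firewall enforcing a classic 512-byte DNS limit does with resp."""
    flags = struct.unpack("!H", resp[2:4])[0]
    truncated = bool(flags & 0x0200)     # TC bit: resolver should retry over TCP
    if len(resp) > udp_limit:
        return "dropped"                 # oversized UDP answer never reaches the resolver
    return "truncated" if truncated else "ok"


def build_response(query, addresses, udp_size=None, tc=False):
    """Constructed answer to query: one A record per address, OPT echoed if udp_size."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if tc else 0)                          # QR, RD, RA (+TC)
    question = query[12:skip_name(query, 12) + 4]
    arcount = 1 if udp_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, arcount) + question
    for ip in addresses:
        rdata = bytes(int(o) for o in ip.split("."))
        # name is a pointer to the question name at offset 12; 16 bytes per A record
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + rdata
    if udp_size is not None:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


# Constructed: a 32-address web farm, large enough to overflow 512 bytes in one answer.
FARM = ["198.51.100.%d" % i for i in range(1, 33)]


def demo():
    """Three resolver behaviours against the same farm, seen through a 512-byte fixup."""
    q_edns = build_query("www.yahoo.com", edns_udp_size=4096)      # EDNS0 probe, big payload
    r_big = build_response(q_edns, FARM, udp_size=4096)            # 554 bytes: dropped
    q_plain = build_query("www.yahoo.com")                         # EnableEDnsProbes=0
    r_tc = build_response(q_plain, FARM[:29], tc=True)             # <=512, TC set: retry TCP
    q_capped = build_query("www.yahoo.com", edns_udp_size=512)     # EDNS0 kept, capped
    r_capped = build_response(q_capped, FARM[:28], udp_size=512, tc=True)
    return {
        "edns4096": (advertised_udp_size(q_edns), len(r_big), classify_udp_response(r_big)),
        "classic": (advertised_udp_size(q_plain), len(r_tc), classify_udp_response(r_tc)),
        "edns512": (advertised_udp_size(q_capped), len(r_capped), classify_udp_response(r_capped)),
    }


if __name__ == "__main__":
    for scenario, (size, length, verdict) in demo().items():
        print("%-9s advertised=%-5s response=%3d bytes -> %s" % (scenario, size, length, verdict))
```

The point the thread reached empirically shows up in the sizes: only the EDNS0 probe produces a 554-byte UDP answer, which is the case the fixup discards, while both the classic query and the 512-byte-capped EDNS0 query get a truncated answer under 512 bytes and fall back to TCP. The PIX-side alternative is to raise the DNS fixup's maximum length instead of changing the server; either way, the check to run is whether large answers from the forwarder arrive at all.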